  1. Writing Secure CFML
     Presented by Pete Freitag, Principal Consultant, Foundeo Inc.
     New York City ColdFusion User Group - Nov 10, 2009

  2. Who am I?
     • 10+ Years using ColdFusion
     • My Company Foundeo Inc.
       • ColdFusion Consulting
       • ColdFusion Products

  3. Agenda:
     1. Unchecked Input
     2. File Uploads
     3. XSS - Cross Site Scripting
     4. SQL Injection
     5. Cross Site Request Forgery
     6. CRLF Injection

  4. Web Apps Targeted
     [Chart: percentages by year, 2001-2006 (y-axis 0% to 40%); two series:
      Web (XSS + SQL Injections) and Buffer Overflows]
     Source: http://cwe.mitre.org/documents/vuln-trends.html#table1

  5. Three Simple Rules
     • Trust No One
     • Be Paranoid
     • Validate Everything

  6. Security vs. Usability
     [Diagram: Usability and Security on opposite sides of a scale]

  7. Security Tradeoffs
     • Security vs. Usability
     • Security vs. Performance
     • Security vs. Time / Effort / Money

  8. Unchecked Input
     • The Cause of Most Security Problems
     • Server Side Validation
       • IsValid Function
       • Regular Expressions

  9. What are the inputs in a Web App?

  10. The HTTP Request
      • URL Variables
      • FORM Variables
      • Cookies
      • HTTP Request Headers (CGI Scope)
        • User Agent
        • Referrer

  11. What are the Inputs?
      • Data sources used in your Application:
        • Databases
        • Files
        • HTTP and Web Service Responses
        • etc.
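As an added illustration of slides 8 to 11 (not code from the deck or from Foundeo), the following page validates one input from each source the slides list before using it. The variable names url.id, form.email, cookie.lang and the length limit are assumptions made for the example:

```cfml
<!--- Added example: server-side validation of each HTTP input source.
      url.id, form.email and cookie.lang are illustrative names, not from the slides. --->
<cfset errors = []>

<!--- URL variable: must be a positive integer (IsValid does the type check) --->
<cfparam name="url.id" default="0">
<cfif NOT isValid("integer", url.id) OR url.id LTE 0>
    <cfset arrayAppend(errors, "url.id must be a positive integer")>
</cfif>

<!--- FORM variable: built-in e-mail validator --->
<cfparam name="form.email" default="">
<cfif NOT isValid("email", form.email)>
    <cfset arrayAppend(errors, "form.email is not a valid address")>
</cfif>

<!--- Cookie: a regular expression whitelist (two-letter language code) --->
<cfparam name="cookie.lang" default="en">
<cfif NOT reFindNoCase("^[a-z]{2}$", cookie.lang)>
    <!--- a cookie is client-controlled: fall back to a safe default instead of trusting it --->
    <cfset cookie.lang = "en">
</cfif>

<!--- Request headers (CGI scope) are input too: cap the length before it reaches a log or a query --->
<cfset userAgent = left(cgi.http_user_agent, 255)>
<cfset referrer  = left(cgi.http_referer, 2048)>

<!--- Reject the request as a whole if any check failed --->
<cfif arrayLen(errors)>
    <cfthrow type="ValidationError" message="#arrayToList(errors, '; ')#">
</cfif>
```

Each check runs on the server regardless of any JavaScript validation in the browser, which is the point of slide 8: client-side checks are a usability aid, not a control.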

  12. Uploading Files
      • Most Web Sites let you Upload Photos or files.
      • Potentially the most dangerous thing your app will do.

  13. Example: File Uploads

  14. Best Practices for File Uploads
      • Upload to a directory outside the web root or to a static content server (S3).
      • Always Check the File Extension
        • cffile.serverFileExt
      • Use the "accept" attribute, but never trust it.
      • Check File Names as well

  15. Best Practices for File Uploads
      • Validate file is in proper format
        • IsImageFile()
        • IsPDFFile()
        • jHOVE - Java API
      • More: http://www.petefreitag.com/item/701.cfm
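An added example (not from the deck) that applies the checks from slides 14 and 15 in order: upload outside the web root, check the extension reported in the cffile scope, check the file name, then confirm the content with IsImageFile()/IsPDFFile() and delete anything that fails. The destination directory, the form field name "photo" and the extension whitelist are assumptions:

```cfml
<!--- Added example: a file upload handler following slides 14-15.
      /var/app/uploads/ (outside the web root) and the whitelist are assumptions. --->
<cfset uploadDir  = "/var/app/uploads/">
<cfset allowedExt = "jpg,jpeg,gif,png,pdf">

<!--- nameconflict="makeunique" prevents an upload from overwriting an existing file --->
<cffile action="upload"
        filefield="photo"
        destination="#uploadDir#"
        nameconflict="makeunique">

<cfset savedPath = cffile.serverDirectory & "/" & cffile.serverFile>
<cfset ok = true>

<!--- 1. Extension check against the whitelist; the form's accept attribute is never trusted --->
<cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
    <cfset ok = false>
</cfif>

<!--- 2. File name check: letters, digits, dot, dash and underscore only --->
<cfif ok AND reFind("[^A-Za-z0-9._-]", cffile.serverFile)>
    <cfset ok = false>
</cfif>

<!--- 3. Content check: the bytes must match what the extension claims --->
<cfif ok>
    <cfif listFindNoCase("jpg,jpeg,gif,png", cffile.serverFileExt)>
        <cfset ok = isImageFile(savedPath)>
    <cfelseif cffile.serverFileExt EQ "pdf">
        <cfset ok = isPDFFile(savedPath)>
    </cfif>
</cfif>

<!--- Anything that fails is removed so it never sits on disk waiting to be served --->
<cfif NOT ok>
    <cffile action="delete" file="#savedPath#">
    <cfthrow type="UploadRejected" message="File failed validation and was removed">
</cfif>
```

Because the directory is outside the web root, a file that slips past the checks still cannot be requested by URL; serving it later goes through a script that sets the content type itself.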

  16. Cross Site Scripting
      • Attacker crafts a request that executes a client side script.
        • Usually JavaScript
        • Flash
        • Applet
        • IFRAME
        • ActiveX

  17. What's So Bad About XSS
      • Stealing Cookies (session)
      • Phishing

  18. XSS Examples

  19. ScriptProtect
      • ColdFusion 7 Introduced the ScriptProtect feature.
      • Catches many but not all XSS attacks.
      • Enabled globally or at the application level.
      • Configurable Regular Expressions
        • WEB-INF/cfusion/lib/neo-security.xml

  20. Preventing XSS
      • Escape HTML Tags and Quotes and more.
        • XMLFormat()
          • Escapes double quotes, single quotes and <tags>.
        • HTMLEditFormat()
          • Escapes <tags> and double quotes but not single quotes.
        • Make Your Own Function (best)
          • Escape or Remove: < > ' " ( ) ; #

  21. Preventing XSS
      • Validate Inputs
      • Enforce Maximum String Length
      • Convert Case (JS is case sensitive)
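An added example (not from the deck) of the "make your own function" approach from slide 20 together with the length and case rules from slide 21. The function escapes every character the slide lists, and the ampersand first so that entities are not double-encoded; the 500-character limit and the form field name are assumptions:

```cfml
<cfscript>
// Added example: output encoding covering the characters on slide 20.
// In CFML string literals "##" is a literal "#", so "&##39;" is the text &#39;.
function escapeForHTML(str) {
    var out = str;
    out = replace(out, "&", "&amp;", "all");   // first, or later entities get re-escaped
    out = replace(out, "<", "&lt;", "all");
    out = replace(out, ">", "&gt;", "all");
    out = replace(out, '"', "&quot;", "all");
    out = replace(out, "'", "&##39;", "all");
    out = replace(out, "(", "&##40;", "all");
    out = replace(out, ")", "&##41;", "all");
    out = replace(out, ";", "&##59;", "all");
    out = replace(out, "##", "&##35;", "all");
    return out;
}

// Slide 21: validate before encoding. The length cap is an assumed limit;
// the comparison is case-insensitive because script payloads may vary case.
function cleanComment(raw) {
    var value = left(trim(raw), 500);
    if (findNoCase("javascript:", value) OR findNoCase("<script", value)) {
        value = "";   // reject outright rather than try to repair the input
    }
    return escapeForHTML(value);
}
</cfscript>

<cfparam name="form.comment" default="">
<cfoutput>
    <!--- custom function: every listed character is neutralised --->
    <p>#cleanComment(form.comment)#</p>
    <!--- built-ins for comparison: XMLFormat() escapes both quote types,
          HTMLEditFormat() leaves single quotes alone --->
    <p>#XMLFormat(form.comment)#</p>
    <p>#HTMLEditFormat(form.comment)#</p>
</cfoutput>
```

The encoding function is applied at output time, so the stored value stays intact and the same data can be encoded differently for a JavaScript or URL context later.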

  22. SQL Injection
      • Very Dangerous
        • Execute ANY SQL Statement
        • Or ANY Program!
          • xp_cmdshell
      • Very Easy to Prevent

  23. Classic SQL Injection Example
      <cfquery datasource="db" name="news">
          SELECT title, story FROM news WHERE id = #url.id#
      </cfquery>
      /news.cfm?id=8;DELETE+FROM+news

  24. Preventing SQL Injection
      <cfquery datasource="db" name="news">
          SELECT title, story FROM news
          WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      </cfquery>

  25. CFQUERYPARAM
      • Can and should be used in
        • WHERE Clauses
        • INSERT Statements
        • UPDATE Statements
        • All variables in your query
          • Where allowed
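An added example (not from the deck) extending slide 25 beyond the WHERE clause shown on slide 24: every variable in an UPDATE, an INSERT and an IN (...) list is bound with cfqueryparam, and the one place it is not allowed (an ORDER BY column name) is handled with a whitelist instead. The datasource "db", the news table and the form fields are assumptions:

```cfml
<!--- Added example: cfqueryparam in UPDATE, INSERT, IN lists, plus a whitelist
      for ORDER BY. Datasource, table and field names are assumptions. --->
<cfparam name="url.id"     default="0">
<cfparam name="url.ids"    default="">
<cfparam name="url.sort"   default="title">
<cfparam name="form.title" default="">
<cfparam name="form.story" default="">

<!--- Validate first: an id that is not an integer never reaches the database --->
<cfif NOT isValid("integer", url.id)>
    <cfthrow type="BadRequest" message="id must be an integer">
</cfif>

<!--- UPDATE: both SET values and the WHERE value are parameters; maxlength bounds the input --->
<cfquery datasource="db">
    UPDATE news
       SET title = <cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
           story = <cfqueryparam value="#form.story#" cfsqltype="cf_sql_longvarchar">
     WHERE id    = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- INSERT: same rule, no exceptions for "trusted" fields --->
<cfquery datasource="db">
    INSERT INTO news (title, story)
    VALUES (<cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
            <cfqueryparam value="#form.story#" cfsqltype="cf_sql_longvarchar">)
</cfquery>

<!--- ORDER BY cannot take a bind parameter ("where allowed"), so whitelist the column --->
<cfif NOT listFindNoCase("title,id", url.sort)>
    <cfset url.sort = "title">
</cfif>

<!--- IN (...) lists: list="true" binds each element of the list separately --->
<cfif len(url.ids)>
    <cfquery datasource="db" name="selected">
        SELECT id, title FROM news
         WHERE id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
         ORDER BY #url.sort#
    </cfquery>
</cfif>
```

With cf_sql_integer the database driver receives a typed parameter, so the ";DELETE+FROM+news" payload from slide 23 fails type conversion instead of being executed.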

  26. Cross Site Request Forgery
      • How "samy", a MySpace user, made 1 million friends in less than 20 hours.

  27. Cross Site Request Forgery
      • Samy found a clever way to execute JavaScript on his MySpace profile page.
      • Whenever a MySpace user visited his profile, Samy's script would add him as a friend on their profile.
      • For a few hours Samy caused MySpace to shut down for "maintenance".

  28. Cross Site Request Forgery
      • Takes advantage of a logged in user.
      • Performs a privileged action on their behalf.

  29. CSRF + XSS
      • You don't need an XSS hole to perform a Cross Site Request Forgery (CSRF).
      • However, with an XSS hole, HTTP POST requests can be executed behind the scenes with AJAX.
      • CSRF could be performed by an IFRAME on a malicious web site.

  30. Cross Site Request Forgery Example

  31. Mitigating CSRF Attacks
      • Server Side Confirmations
      • Require HTTP POST when performing operations.
      • Don't allow foreign HTTP referrers.
      • Require password for sensitive operations.
      • Include a hash in the form based on authenticated user's credentials.
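An added example (not from the deck) implementing the controls on slide 31 for a form that changes the logged-in user's e-mail address: the operation requires POST, rejects foreign referrers, re-asks for the password, and carries a hash bound to the authenticated user. It assumes session management is on, that login stored session.userID, and that application.secret holds a server-side secret set in Application.cfc:

```cfml
<cfscript>
// Added example: CSRF mitigations from slide 31.
// session.userID and application.secret are assumed to be set elsewhere.
function csrfToken() {
    // A per-session nonce hashed with the user's identity and a server secret.
    // A page on another site cannot read this value, so it cannot forge the form.
    if (NOT structKeyExists(session, "csrfNonce")) {
        session.csrfNonce = createUUID();
    }
    return hash(session.userID & ":" & session.csrfNonce & ":" & application.secret, "SHA-256");
}

function csrfRequestIsValid() {
    // 1. State-changing operations must arrive by POST
    if (cgi.request_method NEQ "POST") {
        return false;
    }
    // 2. No foreign referrers: host part of the referrer must equal our host.
    //    An empty referrer is tolerated because some proxies strip it.
    if (len(cgi.http_referer)) {
        if (listLen(cgi.http_referer, "/") LT 2
            OR compareNoCase(listGetAt(cgi.http_referer, 2, "/"), cgi.http_host) NEQ 0) {
            return false;
        }
    }
    // 3. The submitted hash must match the one bound to this session
    if (NOT structKeyExists(form, "csrfToken")) {
        return false;
    }
    return compare(form.csrfToken, csrfToken()) EQ 0;
}
</cfscript>

<cfif cgi.request_method EQ "POST">
    <cfif NOT csrfRequestIsValid()>
        <cfthrow type="CSRFDetected" message="Request rejected">
    </cfif>
    <!--- "Require password for sensitive operations": verify form.password
          against the stored credential here before changing the address --->
</cfif>

<cfoutput>
<form method="post" action="#cgi.script_name#">
    <input type="hidden" name="csrfToken" value="#csrfToken()#">
    <label>New e-mail: <input type="text" name="email"></label>
    <label>Current password: <input type="password" name="password"></label>
    <input type="submit" value="Save">
</form>
</cfoutput>
```

The referrer check is a secondary control only, since browsers and proxies may omit the header; the per-session hash is what actually ties the request to the user who loaded the form.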

  32. CRLF Injection
      • CRLF = Chr(13) & Chr(10)
      • CFHEADER
        <cfheader name="Content-Type" value="#url.type#">
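The slide's cfheader line writes url.type straight into a response header, so a CR/LF pair in the value ends that header and starts another. As an added example (not from the deck), here is that line next to a hardened version: the value is checked against a whitelist of content types and, regardless, stripped of Chr(13) and Chr(10). The whitelist and the second header (a download file name taken from url.file) are assumptions:

```cfml
<!--- Added example: the slide's header line and a hardened replacement.
      url.type is the slide's input; allowedTypes and url.file are assumptions. --->
<cfparam name="url.type" default="text/html">

<!--- Vulnerable (slide 32): CR/LF inside url.type would be written into the response --->
<!--- <cfheader name="Content-Type" value="#url.type#"> --->

<!--- Hardened: 1) remove CR and LF (the CRLF sequence from the slide), 2) whitelist the value --->
<cfset allowedTypes = "text/html,text/plain,text/csv,application/json">
<cfset contentType  = trim(url.type)>
<cfset contentType  = replace(contentType, chr(13), "", "all")>
<cfset contentType  = replace(contentType, chr(10), "", "all")>
<cfif NOT listFindNoCase(allowedTypes, contentType)>
    <cfset contentType = "text/html">
</cfif>
<cfheader name="Content-Type" value="#contentType#">

<!--- The same rule applies to any header built from input, e.g. a download file name --->
<cfparam name="url.file" default="export.csv">
<cfset safeName = reReplace(url.file, "[^A-Za-z0-9._-]", "", "all")>
<cfif NOT len(safeName)>
    <cfset safeName = "download">
</cfif>
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
```

Whitelisting is the primary control; stripping the two characters is a backstop for header values that genuinely have to be free-form.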

  33. Session Hijacking
      • If an attacker knows a user's session id(s) (CFTOKEN & CFID) they can impersonate the user.

  34. Ways Session IDs are Compromised
      • Passing CFID & CFTOKEN in query string.
        • CFLOCATION does this by default, use addtoken="false"
      • Cookies can be stolen with cross site scripting attacks.
      • Traffic sniffing

  35. Ways to Prevent Hijacking
      • Use SSL
      • Don't put session ids in the URL
      • Use long session ids
        • Enable "Use UUID for CFTOKENs"
        • J2EE Sessions
      • Secure & HTTPOnly Cookies
      • Integrity checking

  36. Don't Disclose Server Details
      • Error messages may show:
        • File Paths
        • Source Code
        • Database Table and Column Names
      • Use a Global Error Handler or CFERROR

  37. Require SSL / HTTPS
      • Prevent sniffing
      • Browsers run at a higher security level lowering success rates on some attacks.
      • Secure cookies
        • <cfcookie secure="true" ...>
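An added Application.cfc (not from the deck) that puts slides 34 to 37 together: CFID/CFTOKEN are written by the application itself so they can be Secure and HttpOnly, cflocation is always called with addtoken="false", plain-HTTP requests are redirected to HTTPS, and a global onError handler logs details server-side while showing a generic page. The integrity check (binding the session to a hash of the user agent) is one possible design and an assumption, not a ColdFusion built-in; the httponly attribute on cfcookie requires ColdFusion 9:

```cfml
<!--- Added example: Application.cfc applying slides 34-37.
      The user-agent fingerprint and the file names login.cfm / error.cfm are assumptions. --->
<cfcomponent>
    <cfset this.name = "secureApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- do not let ColdFusion write CFID/CFTOKEN: we set them with secure/httponly below --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void">
        <!--- long ids come from "Use UUID for cftoken" in the Administrator (slide 35);
              Secure keeps them off plain HTTP, HttpOnly keeps them away from script (XSS) --->
        <cfcookie name="CFID" value="#session.cfid#" secure="true" httponly="true">
        <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="true" httponly="true">
        <!--- integrity check: remember which browser created the session --->
        <cfset session.fingerprint = hash(cgi.http_user_agent, "SHA-256")>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <!--- slide 37: refuse to serve the application over plain HTTP --->
        <cfif NOT cgi.server_port_secure>
            <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="false">
        </cfif>
        <!--- a known session id presented by a different browser is treated as stolen --->
        <cfif structKeyExists(session, "fingerprint")
              AND session.fingerprint NEQ hash(cgi.http_user_agent, "SHA-256")>
            <cfset structClear(session)>
            <!--- addtoken="false" so the ids never appear in the URL (slide 34) --->
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onError" returntype="void">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <!--- slide 36: paths, SQL and stack traces go to the server log only... --->
        <cflog file="secureApp" type="error"
               text="#arguments.exception.message# #arguments.exception.detail#">
        <!--- ...and the user sees a generic page that discloses nothing --->
        <cfinclude template="error.cfm">
    </cffunction>
</cfcomponent>
```

The fingerprint check is a trade-off of the kind slide 7 describes: it blocks a copied cookie used from another browser, but a legitimate user whose user agent string changes mid-session (a browser update) is logged out.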

  38. HackMyCF.com

  39. Foundeo's Web Application Firewall for ColdFusion
      • Announcing Version 2.0
        ‣ Lower Price (starts at $349/app)
        ‣ Log Viewer GUI
        ‣ File Upload Filter
        ‣ foundeo.com/security/

  40. Thanks.
      www.petefreitag.com
      www.foundeo.com
